CTO Blog

Opinions expressed on this blog reflect the writer’s views and not the position of the Capgemini Group

BYOD (iPad) meets ‘Secure Journey to the Cloud’

Is the industry hyping ‘Bring Your Own Device’ (BYOD) as the next big thing? I don’t think so. It’s much more a forced response to users driving the issue by deciding to use their own devices. AND this is the big point: it’s the cloud that allows them to do this. No, not your Enterprise IT idea of a cloud defined by its role in supporting Enterprise IT, but genuine cloud technology accessed via the internet as an extension of the web. This apparently universal situation of users moving beyond smartphones and into tablets, and at the same time changing how they work, is now an established reality almost everywhere.

This is a very worrying situation. Why? Because by definition this is an uncontrolled situation and good IT management and practice is based on firm controls and governance. This, TOGETHER with rethinking how the use of cloud technologies can benefit the IT environment, creates a huge spread of possibilities equaled only by the huge spread of security risks that goes with it. There is a further dimension to this and that’s doing business with customers, suppliers and others externally, certainly through the use of ‘content-driven’ forms on websites and increasingly via orchestrated services and apps using a cloud. All of these activities are in play at once with great pressure on delivering or accepting their deployment. 

Put Governance for Security in Place before Tackling BYOD

No wonder this resonated with me when I read a new whitepaper by colleagues at Capgemini entitled ‘Secure journey to the cloud – a matter of control’. I will leave you to read the full paper, which separates the various ways clouds are used and defines the appropriate approach to address each one. As is usually the case with dauntingly complex topics, the paper succeeds by breaking the whole down into addressable parts. This is important because before tackling BYOD there is a need to identify and put in place this level of fundamental governance for security.

Dismissing BYOD as ‘Not allowed’ is not the Answer

I want to focus on BYOD because it is simply a huge ‘out of control’ reality that pretty much everywhere needs to have a spotlight shone on it. There is a tendency to try to dismiss it by saying that it’s not allowed. But that doesn’t work and won’t work, particularly as there are too many board level executives in leading roles who have adopted BYOD! I have heard the iPad in particular called the ‘executive revolution’ and there is plenty of evidence in support of the desire to adopt and deploy. Interestingly, this support is coming from some of the major IT vendors too. SAP published a compelling article entitled ‘iPads have helped some of this company’s salespeople double their sales’ in which they quote not only themselves but IBM as commercial leaders. It’s hard for Enterprise IT to argue against adoption on the grounds of endangering the ERP systems when SAP is arguing for adoption!

There are whole sites now dedicated to using iPads in business with lots of good examples of making commercial benefits in different areas, as well as practical tips on the technology and its management. The somewhat wrongly (to my eyes, at least) entitled iPadCTO site is a good example, though I think it should have been called iPadExecutive given the content. I recommend a visit to get a really good grounding in the business iPad revolution. There are indexed vertical industry sector examples to be found at the ipadtowork site and frankly any business press has plenty to say on the topic. Clearly the ‘not here’ argument isn’t going to work at any level in the face of this level of factual examples.

How to Approach Cloud Security and BYOD

So onto practical steps: there is obviously a need to assess the risk posed by the device itself. And there is surprisingly little information on this because, as you will discover on the eSecurity Planet website, the simplicity of the operating system and its design features limits the threat opportunities. Equally, its operational manner via the Apple app shop (which is a cloud by-the-way, albeit an interesting example of a publicly accessible one with strict private management and access) makes for further security. And of course iPads and other BYODs are naturally being operated by users, and should be maintained by conscious policy as devices ‘outside the firewall’. The concept of defining this as ‘outside-in’ (see the Capgemini whitepaper on this) is catching on in the industry and it means that Enterprise IT ‘inside the firewall’ or ‘inside-out’ is safely isolated.

The big risk is the users themselves and their behavior. This is particularly so with email and attached documents or passwords stored in contact files. In short, the number one issue to ‘secure’ is the user! This is a recognizable fact in conventional security too, but with BYOD the IT department’s ‘controlling’ capabilities are too limited for real safety. I may be wrong but I reckon that something beyond the rules and guidelines is required to shock users into the reality of the personal risk. One good answer is to include a reference to the pwnedlist website where a quick anonymous check can be made on any email address to see if it has been hacked. I would also urge a monthly check of your email address at https://www.pwnedlist.com/ to test if you are one of the more than 12 million currently known to have been compromised. Now that makes it VERY personal!

So two routes in combination: go ‘Enterprise out’ towards the cloud using a structured approach and tools; at the same time, opt for ‘User in’ around BYOD and the new level of personal risk. If you can break up the ‘haze’ then the safe adoption of the many beneficial aspects of the cloud is achievable.

About the author

Andy Mulholland
Capgemini Global Chief Technology Officer until his retirement in 2012, Andy was a member of the Capgemini Group management board and advised on all aspects of technology-driven market changes, together with being a member of the Policy Board for the British Computer Society. Andy is the author of many white papers, and the co-author of three books that have charted the current changes in technology and its use by business, starting in 2006 with ‘Mashup Corporations’ detailing how enterprises could make use of Web 2.0 to develop new go-to-market propositions. This was followed in May 2008 by ‘Mesh Collaboration’ focussing on the impact of Web 2.0 on the enterprise front office and its working techniques, then in 2010 “Enterprise Cloud Computing: A Strategy Guide for Business and Technology leaders” co-authored with well-known academic Peter Fingar and one of the leading authorities on business process, John Pyke. The book describes the wider business implications of Cloud Computing with the promise of on-demand business innovation. It looks at how businesses trade differently on the web using mash-ups but also the challenges in managing more frequent change through social tools, and what happens when cloud comes into play in fully fledged operations. Andy was voted one of the top 25 most influential CTOs in the world in 2009 by InfoWorld and is grateful to readers of Computing Weekly who voted the Capgemini CTOblog the best Blog for Business Managers and CIOs each year for the last three years.
1 Comment
Hey buddy, this is one of the best posts that I’ve ever seen; you may include some more ideas in the same theme. I’m still waiting for some interesting thoughts from your side in your next post. power point presentations (http://www.bestcustomwriting.com/power-point-presentation)
